是否可以将会话ID存储在localStorage中？ [英] Is it okay to store session id in localStorage?

问题描述

将用户的会话ID存储在 localStorage 中是否安全？在 w3.org网站上，他们说

Is it secure to store user's session id in localStorage? On w3.org site, they say

当localStorage
属性最初返回的任何Storage对象的
成员都被脚本访问时，用户代理必须引发SECURITY_ERR异常，脚本的有效脚本来源是不是
与Window对象的Document的原点相同，其中
访问了localStorage属性。

User agents must raise a SECURITY_ERR exception whenever any of the members of a Storage object originally returned by the localStorage attribute are accessed by scripts whose effective script origin is not the same as the origin of the Document of the Window object on which the localStorage attribute was accessed.

<那么这是否意味着localStorage可用于敏感数据？

So does this mean localStorage could be used for sensitive data?

推荐答案

这取决于你的意思它是否安全？

It depends upon what you mean by "is it secure"?

localStorage与非路径限制cookie一样安全。从网页中，只能通过同一域中的页面访问它。数以万计的网站将会话ID存储在与localStorage具有大致相同安全限制的cookie中。

localStorage is about as secure as a non-path restricted cookie. From web pages, it can only be accessed by pages from the same domain. Zillions of sites store session ids in cookies which have about the same security restrictions as localStorage.

在网页之外，localStorage和cookies都不是安全的，不会被其他网站访问程序甚至是运行在同一台计算机上的网络调试工具。

Outside of web pages, neither localStorage nor cookies are secure at all from access by other programs or even web debugging tools running on the same computer.

这篇关于是否可以将会话ID存储在localStorage中？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！